Monthly Archives: July 2017

China’s mobile operators are reportedly being told to ban all use of VPNs

China’s latest move to crack down on VPN software that lets people circumvent its internet censorship system appears to be a very worrying one.

Bloomberg reports that the government has requested that state-run telecom operators prevent their customers from running VPN apps on their network. Citing sources, the publication said that the government intends for the VPN block to come into effect by February 1 2018.

The impact of such a move would be enormous. China Mobile (860 million subscribers), China Unicom (268 million subscribers) and China Telecom (227 million subscribers) are the three biggest telcos, and each is state-owned.

An effective block on VPNs would mean that these customers would be unable to access websites blocked by the government. Beyond social networks like Facebook and Twitter, that would include news sites and web pages deemed unsuitable for consumption in China. The New York Times and Wall Street Journal are among international news sites blocked in China, according to censorship monitoring service Great Fire.

Beyond restricting access to information, a universal VPN ban would make it difficult for some companies and employees based in China to do business. A recent SCMP article highlighted individuals impacted by China’s ongoing VPN crackdown; they included an environmental researcher who relies on Google Docs for collaboration and a Shanghai-based curator who works with artists overseas.

It isn’t certain that this move will happen, even if there have been hints of aggressive policing of censorship avoidance. In 2015, the Chinese government cut mobile access for some VPN users in the northwestern province of Xinjiang, an area that is home to many ethnic minority groups and is frequently a testbed for internet censorship. A nationwide clampdown, however, would be far more radical and wide-ranging.

Beijing has played cat and mouse with VPN providers over the past few years. In January, it made government approval mandatory for China-based companies offering VPNs. Essentially that made many local services illegal.

It has acted on that, too. It recently forced two popular Chinese VPN services to close, but those based overseas continue to evade its reach. That could be one reason why it is considering this extreme approach to stamping VPN usage out altogether.

Bloomberg’s report comes just over a month after China instituted a wide-ranging set of cybersecurity laws that could potentially impact foreign businesses. The exact scope of the new regulations, which come into full effect in 2018, is unclear, but they require certain data to be stored within China, which has raised concern among free speech organizations.

 

via:  techcrunch

Hard Rock hotels burgered up by Sabre breach

Loews Hotels also added to data leak list.

Two more hotel chains are warning customers they were caught by the breach of Sabre’s “SynXis” hotel booking service that emerged earlier this year.

Last Thursday, the Hard Rock chain warned that customers of 11 of its properties may have been caught up in the breach.

According to Hard Rock’s confession, Sabre advised it the system breach ran from August 2016 to March 2017.

Hard Rock properties in Biloxi, Cancun, Chicago, Goa, Las Vegas, Palm Springs, Panama, Punta Cana, Riviera Maya, San Diego and Vallarta used the system.

Hard Rock was hit by carders in 2015, but that breach only affected its Las Vegas hotel and casino.

NBC Philadelphia reports high-polish hotel chain Loews Hotels was also stung.

Last week, Sabre issued a canned statement with the not-entirely-reassuring detail that the attackers only got full card information (customer name, card number and security code) for some holiday-makers: “a large percentage of bookings were made without a security code being provided. Others were processed using virtual card numbers in lieu of consumer credit cards”.

Further: “Personal information such as social security, passport or driver’s license number was not accessed”. The company has created a consumer information site for Americans who think their data may have been accessed.

Back in May, Sabre revealed its SynXis hotel booking management system was compromised, and at the end of June, Google told employees to watch out for suspicious activity on their cards, because one of its travel agencies, Carlson Wagonlit Travel, was potentially exposed to the SynXis breach.

 

via:  theregister.co.uk

Desperately Seeking Security: 6 Skills Most In Demand

When people say there’s a security skills gap, this is what they really mean.


Incident Investigation and Security Analysis

As organizations drown in alerts and try to figure out a way to prioritize incidents for investigation, automation will play a huge role in stopping the insanity. But that won’t ever replace the importance of smart people to direct the automation, and follow up with human intuition and foresight to move investigations forward and mitigate the root problems. According to a recent study by ESG on behalf of ISSA, the roles that enterprises have the most difficulty filling are those involving incident investigation and analysis. That figure is validated by CompTIA, which also found that skilled security analysts are the hardest-to-find security specialists in today’s market.


Cloud Security Wisdom

With organizations increasingly moving their development activities, data and even application workloads to the cloud, they need security practitioners who know how to secure complex hybrid environments. According to one survey by Intel, 93% of organizations at this point use cloud services in one form or another and 62% store sensitive information in the cloud. Yet, just under half say that their effective use of the cloud is stymied by a lack of cybersecurity skills in this arena.


Industry Know-How

Dark Reading’s 2017 Security Staffing Survey shows that most people in charge of hiring security talent believe there is at least some kind of skills shortage on the market. Some of the biggest shortages are not necessarily specific to roles or technical competencies but instead a familiarity with the kind of business they are trying to protect. According to the survey, nearly three times as many hiring managers look for people with experience in defending organizations similar to their own than they seek a formal education in cybersecurity.


Hands-On Training

This de-emphasis on formal education seems to be a common theme picked up in cybersecurity workforce surveys. A recent survey conducted by ISACA reconfirmed it, as survey respondents reported that their biggest concern is finding people who not only know a lot about security but who have put that knowledge to the test in the real world. That hands-on acquisition of skills easily beat out formal education, special training, and certification by a significant margin.


People Skills

As DevSecOps drives organizations to be more collaborative, security personnel at all levels must increasingly learn to play nicely with others in IT and beyond. Dark Reading’s 2017 Security Staffing Survey found that over half of IT pros believe the most in-demand skill in filling security roles are technical people with soft skills, like communication.


Business Acumen

By rights, security professionals should be working as internal consultants to help organizations minimize risk as much as possible while still carrying out the kind of digital transformations that will enable them to stay competitive in the app economy. A recent CompTIA report found that the number one biggest overall IT skills gap category that is impacting digital transformations is the one having to do with aligning technology with business objectives. If security professionals are going to act in that consultative role, they need to understand both general business principles and the specific business concerns unique to their organization.

 

via:  darkreading

Facebook is rolling out its ‘Find Wi-Fi’ feature worldwide

Facebook is expanding one of its newer features designed to help mobile users find accessible Wi-Fi networks. The company had begun testing a “Find Wi-Fi” option last year on mobile, which highlighted free, public Wi-Fi networks nearby. At the time, the option was only available on iOS in select countries, as something of a test. Today, Facebook announced users worldwide on both iOS and Android devices will soon gain access to “Find Wi-Fi.”

The company says the addition is useful when you’re traveling, and especially so when you’re in an area where cellular data is “scarce.”

In developed markets like the U.S., that could mean more remote, rural locations, but in emerging markets, it’s an even more powerful tool as users often have limited data plans, and spotty cellular coverage in general.

The feature, like other new additions to Facebook’s portal, is found under the “More” tab in the Facebook mobile app. Once you locate the “Find Wi-Fi” tab, Facebook notes you may need to turn it on. Afterwards, Facebook will display a map showing the closest hotspots, as well as details about the businesses that provide them.

Besides being a handy addition that helps Facebook’s now 2 billion monthly users stay connected to the network and spend more time in its app – something that directly impacts Facebook’s bottom line – the tool also serves as another way to discover local businesses. That means users might start turning to Facebook to find the closest coffee shop with Wi-Fi, instead of Google Maps.

But the feature isn’t as of yet as reliable as it should be, we found – though it easily picked up Wi-Fi hotspots at nearby restaurants and malls, for example, it didn’t include the closest Starbucks or McDonald’s in our list of suggestions. (Your mileage may vary.)

This is because, for the feature to work, a business must first claim its Wi-Fi network by navigating to “Edit Page Info” on its Facebook Page. Or, more simply put, it’s an opt-in setting. That being said, the feature has seen good adoption during the tests starting last year. And now that businesses know it’s a globally available feature, that adoption may increase.

A tool for listing Wi-Fi networks is hardly Facebook’s only effort with regard to helping users with mobile connectivity. The company has much larger projects underway in this area, including efforts via its Internet.org arm to expand mobile connectivity in emerging markets, infrastructure investments around the world, plans to use solar-powered drones for delivering connectivity and more.

Facebook says “Find Wi-Fi” is beginning to roll out globally on iPhone and Android.

 

https://www.facebook.com/facebook/videos/10155980160956729/

 

via:  techcrunch

Kaspersky repeats offer: America can see my source code

Fighting to head off Department of Defense blacklisting.

Eugene Kaspersky, founder of the eponymous antivirus firm, has reiterated his offer to give the US government access to his source code.

The company is moving to try and head off budget legislation which, as we wrote last week, would shut Kaspersky out of American military contracts.

The US Senate committee that’s proposed the ban cites concerns about the company’s alleged links to the Russian government.

Visiting Australia in May for the CeBIT conference, Kaspersky said he was willing to let the US look through his company’s products’ source code, and in an interview with the Associated Press over the weekend reiterated the offer.

Speaking at his Moscow HQ, Kaspersky said: “If the United States needs, we can disclose the source code,” adding that he’s prepared to testify to US lawmakers if needed.

He also claimed that unnamed government agencies – not necessarily Russian – had tried to gauge his interest in moving from defensive research to offensive, but he said: “I don’t even want to talk about it.”

Kaspersky-the-founder also suggested Kaspersky-the-company could conduct some of its research in the USA, if that helped.

The company has been suffering escalating attacks in the US. Before the Senate’s Armed Services Committee made its recommendation, several Kaspersky staff in America were raided by FBI agents and questioned. The Feds reportedly told them there was no criminal investigation, but that the FBI wanted to know how (and if) any information was shared with Russia.

As The Register noted at the time of the raids, both founder and company have been under attack by way of various hit-pieces since at least 2015.

 

via:  theregister.co.uk

Google Employees Hit by Sabre Breach

Google has notified some employees that their personal information may have been compromised as a result of the data breach suffered by travel technology firm Sabre.

Sabre informed customers in early May that it had launched an investigation after detecting unauthorized access to its SynXis Central Reservation System, a rate and inventory management product used by more than 32,000 hotels worldwide.

The company said the hackers had managed to access personally identifiable data, payment card details and other information. An investigation revealed that the attackers gained access to the system after hijacking an internal account on the SynXis platform.

In a letter sent out to affected employees, Google said it learned of the breach on June 16 from Carlson Wagonlit Travel (CWT), one of the companies used by the tech giant to book business travel and one of the many organizations that uses the SynXis product. Google pointed out that the breach did not impact its own systems.

Google told employees their name, contact information and payment card details may have been stolen by attackers, who had access to the reservations system between August 10, 2016 and March 9, 2017.

“Sabre’s investigation discovered no evidence that information such as Social Security, passport, and driver’s license numbers were accessed,” Google said. “However, because the SynXis CRS deletes reservation details 60 days after the hotel stay, we are not able to confirm the specific information associated with every affected reservation.”

Google has decided to offer affected employees two years of identity protection and credit monitoring services.

Sabre has yet to provide an update on this incident. The company has alerted law enforcement and payment card issuers, and contracted Mandiant to assist its investigation.

UPDATE. Sabre told SecurityWeek it has completed its investigation into this incident and determined that payment card data was accessed only for a “limited subset of hotel reservations” processed through the SynXis system. According to the company, a large percentage of bookings were made without a security code and using virtual card numbers.

Other personal information was not compromised and there was no evidence that other systems were affected. Sabre also noted that its forensic investigation uncovered no evidence of data being removed from the system by the hacker, but the company admits it’s a possibility.

Sabre stated, “Not all of our SHS customers had reservations that were accessed, and even for those that did have reservations that were viewed, it varied with regard to the percentage of reservations that were accessed. We have engaged Epiq Systems to provide complimentary consumer notice support for those customers that determine they have a notification obligation. The data submitted to the SHS reservation system varied, as well as the geographic locations of both our customers and their respective guests, so we have worked to provide those Sabre customers that had reservations that were viewed with all available information to evaluate their affected reservations and customer lists.”

The company has set up a consumer website related to the affected reservations.

 

via:  securityweek

Get Hacked and Your Cybersecurity Company May Pay

A small but growing number of cybersecurity companies are introducing warranty programs that can serve as insurance against the cost of a potential data breach.

The hackers are winning, so the market for cybersecurity insurance is booming. Today businesses accept that they are likely to be breached no matter how much they spend on defenses, and they’ve begun looking for someone to share the cost. Pricing the risk is difficult, however (see “Insurers Scramble to Put a Price on a Cyber Catastrophe”). And that has created a new opportunity for security companies confident enough to warranty their products.

Companies will spend $7.5 billion on cybersecurity insurance in 2020 (up from an estimated $2.5 billion in 2015), according to a recent projection by PricewaterhouseCoopers. The ballooning market reflects how common cybercrime has become—and the fact that cybersecurity companies are not financially accountable when something goes wrong.

Jeremiah Grossman, chief of security strategy at SentinelOne, which sells antimalware systems, says that should change. To align its financial interests with its customers’, SentinelOne offers a warranty that puts the company on the hook for up to $1,000,000 if the customer falls victim to a ransomware attack, in which hackers break in and encrypt data before demanding a ransom to unlock it. Other cybersecurity startups, as well as big players like Symantec and McAfee, now similarly promise to pay up if their product or service fails.

Grossman says his 10-month-old warranty program has already given his company a leg up on its competitors.

It is too early to say whether cybersecurity warranties will amount to anything more than marketing ploys, says Steve Durbin, managing director of the Information Security Forum, a nonprofit organization that develops recommendations for the best way to manage information security risks. But some vendors have gathered valuable information by monitoring the performance of their products over the years, and that potentially puts them in a strong position to “plug a little bit of a gap” in the insurance market, he says.

In evaluating these risks, cybersecurity firms have an advantage over traditional insurance companies, because they have crucial data that can only come from analyzing real events like the data breaches they themselves have experienced. Traditional insurers, by contrast, are just beginning to assess the full risks of doing business in cyberspace.

That helps explain why insurers, including AIG, are getting behind these new warranty programs. (AIG declined to comment for this story.)

Grossman’s company has its own data on the risk that its system will miss a ransomware attack. Those numbers helped convince an established liability insurer (as part of the arrangement, SentinelOne does not reveal this company’s name publicly) to back its warranty.

Many of the data breaches we have seen could have been avoided if businesses had patched their systems adequately. For example, the WannaCry ransomware outbreak that began in May spread by exploiting an SMB vulnerability in Windows systems that had not been patched, even though Microsoft had released a fix two months earlier. Companies that sign up for these programs will get a payout only if they follow proper security practices.

AsTech Consulting, whose service entails analyzing a business’s source code to identify vulnerabilities, working with the company to fix them, and training employees not to reintroduce them, recently began offering a guarantee that customers who follow the process and still suffer a breach will be compensated up to $1,000,000.

If a company’s risk is “measurably going down,” a result AsTech says its process has been shown to achieve over the past 20 years, that will attract insurance companies because they will better know and manage their risk, says CEO Greg Reber. “That’s a pretty good market.”

 

via: technologyreview

New Girl Scout badges focus on cyber crime, not cookie sales

The Girl Scouts are going to be offering 18 merit badges in cybersecurity, to scouts as young as five years old.

A Girl Scout works on a laptop computer, in a photo released June 21, 2017.   Girl Scouts of the USA/Handout via REUTERS


Cookie sales may take a back seat to fighting identity theft and other computer crime now that Girl Scouts as young as 5 are to be offered the chance to earn their first-ever cyber security badges.

Armed with a needle and thread, U.S. Girl Scouts who master the required skills can attach to their uniform’s sash the first of 18 cyber security badges that will be rolled out in September 2018, Girl Scouts of the USA said in a press release.

The education program, which aims to reach as many as 1.8 million Girl Scouts in kindergarten through sixth grade, is being developed in a partnership between the Girl Scouts and Palo Alto Networks (PANW.N), a security company.

The goal is to prevent cyber attacks and restore trust in digital operations by training “tomorrow’s diverse and innovative team of problem solvers equipped to counter emerging cyber threats,” Mark McLaughlin, chief executive officer of Palo Alto Networks, said in the release.

The move to instill “a valuable 21st century skill set” in girls best known for cookie sales is also aimed at eliminating barriers to cyber security employment, such as gender and geography, said Sylvia Acevedo, the CEO of the Girl Scouts of the USA.

Women remain vastly underrepresented in the cyber security industry, holding just 11 percent of jobs globally, according to a recent study by (ISC)2, an international nonprofit focused on cyber security.

“In our increasingly tech-driven world, future generations must possess the skills to navigate the complexities and inherent challenges of the cyber realm,” Acevedo said in the release.

“From arming older girls with the tools to address this reality to helping younger girls protect their identities via internet safety, the launch of our national cyber security badge initiative represents our advocacy of cyber preparedness,” she said.

 

via:  reuters

3 Real Life Ethical Hacker Stories About #PasswordFails

#3 – Bad passwords

Yeah, yeah, yeah, I know everyone has heard this a million times, but let’s discuss it from a hacker’s perspective.   I’ll start by saying most password policies suck and here is why.  

Let’s examine a typical password policy. 

8+ Characters

3 or more of the following

  • Upper Case Letters
  • Lower Case Letters
  • Numbers
  • Special Characters

Password must be changed every 90 days

These types of password policies actually encourage easy-to-guess passwords that tend to be used by multiple users. That gives me the ability to extrapolate your most common passwords from what I know about your policy, and to use them to break into your corporate network. Here is how it works:

Employees like to use predictable passwords, and bad guys use this to perform password-guessing attacks against a large group of users. This is an extremely common vector that still works against almost all companies. The basics are this: we enumerate users (generally through LinkedIn and Google), then find a login portal most users are likely to have access to and guess one password against all of the users. Traditional brute-force techniques go one user at a time, which locks the user out and trips alarms. Good hackers avoid alarms. A reverse brute-force or password-spraying attack tends to evade detection and provides almost guaranteed access to most networks.

One time we identified a few passwords we felt were most likely to get us access to a network. (In this case we were performing the attack against Outlook Web App.) We guessed one password (it was something like Summer16) and used it against 800 user accounts. We logged onto about 50 user accounts with this exact same password. Of those users, we identified 15 with VPN access and 2 with local admin access. We used the VPN access to compromise the two machines with local admin access and dump the local admin credentials. This company was reusing local admin passwords across multiple systems, which gave us the ability to spread to key user systems and gain domain admin rights, meaning control over the domain controller. Game over. The entire attack, from start to domain admin, took less than three hours.
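What makes a spray different from a brute force, from the defender’s side, is the shape of the failures: one source, many accounts, one or two attempts each, so no per-account lockout counter ever fires. The following is an added example (not code from the original post) that runs that check over a constructed authentication log. The log format (one space-separated key=value line per login attempt, as a web-mail portal or VPN gateway might emit it) and the thresholds are assumptions.

```python
"""Detect password spraying in authentication logs.

Added example, not code from the original post. The log format and the
thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries one password against many
# accounts (a spray; two of the guesses succeed). 198.51.100.9 hammers a
# single account (classic brute force, which lockout policies already catch).
SAMPLE_LOG = """\
2017-07-18T09:00:01Z result=FAIL user=alice src=203.0.113.7
2017-07-18T09:00:03Z result=FAIL user=bob src=203.0.113.7
2017-07-18T09:00:05Z result=FAIL user=carol src=203.0.113.7
2017-07-18T09:00:07Z result=OK user=dave src=203.0.113.7
2017-07-18T09:00:09Z result=FAIL user=erin src=203.0.113.7
2017-07-18T09:00:11Z result=FAIL user=frank src=203.0.113.7
2017-07-18T09:00:13Z result=OK user=grace src=203.0.113.7
2017-07-18T09:05:00Z result=FAIL user=alice src=198.51.100.9
2017-07-18T09:05:01Z result=FAIL user=alice src=198.51.100.9
2017-07-18T09:05:02Z result=FAIL user=alice src=198.51.100.9
2017-07-18T09:05:03Z result=FAIL user=alice src=198.51.100.9
2017-07-18T09:05:04Z result=FAIL user=alice src=198.51.100.9
2017-07-18T09:05:05Z result=FAIL user=alice src=198.51.100.9
2017-07-18T10:30:00Z result=OK user=bob src=192.0.2.20
"""


def parse_line(line):
    """Turn '2017-...Z result=FAIL user=alice src=1.2.3.4' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text, window=timedelta(minutes=30), min_users=5,
           max_per_user=2, brute_threshold=5):
    """Return one alert per (source, pattern) found in the log.

    spray:        >= min_users distinct accounts from one source inside the
                  window, none tried more than max_per_user times. Per-account
                  lockout never fires on this, so it needs its own rule.
    brute_force:  >= brute_threshold failures against one account from one
                  source inside the window.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        reported = set()
        for i, first in enumerate(events):
            # Sliding window anchored on each event in turn.
            win = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            attempts, failures = defaultdict(int), defaultdict(int)
            for e in win:
                attempts[e["user"]] += 1
                if e["result"] != "OK":
                    failures[e["user"]] += 1
            if (len(attempts) >= min_users
                    and max(attempts.values()) <= max_per_user
                    and "spray" not in reported):
                reported.add("spray")
                alerts.append({
                    "type": "spray", "src": src, "users": len(attempts),
                    # Accounts the sprayed password actually opened.
                    "successes": sorted(e["user"] for e in win
                                        if e["result"] == "OK"),
                })
            for user, n in failures.items():
                if n >= brute_threshold and ("brute", user) not in reported:
                    reported.add(("brute", user))
                    alerts.append({"type": "brute_force", "src": src,
                                   "user": user, "attempts": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The spray alert carries the accounts that succeeded, which is the list to reset first; the brute-force rule is included only to show that the two patterns need separate thresholds, since a per-account counter tuned for the second will never see the first.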

The moral of this story is that weak or guessable passwords are a major cause of data breaches and tend to be an easy way into any network that doesn’t enforce multi-factor authentication. Password length matters significantly more than complexity. My advice is to forget about password complexity and just make all of your passwords longer: use a phrase and keep it over 15 characters.

Don’t let the possibility of dictionary attacks overshadow their real-world frequency. Those who neglect the human factor get burned by their own tech. Passphrases yield greater assurance without the unintended human consequences.
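To make the complexity-versus-length argument concrete, here is an added example (not code from the original post) that scores candidates against the policy quoted above and against a length-first policy. The policy parameters and the list of predictable base words are assumptions chosen to illustrate the point; a real deployment would also check against a breached-password list.

```python
"""Typical 'complexity' policy versus a length-first policy.

Added example, not code from the original post. The parameters and the
predictable-word list are assumptions.
"""
import re

# Bases that a season/month/word + year pattern is built on (assumed list).
COMMON_BASES = frozenset([
    "password", "welcome", "letmein", "changeme", "qwerty",
    "spring", "summer", "fall", "autumn", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
])
# Substitutions people make to satisfy a character-class rule.
LEET = str.maketrans("@$0134", "asoiea")
# Trailing digits/punctuation: the "16" in Summer16, the "1" in P@ssword1.
_TRAILING = re.compile(r"[0-9!@#$%^&*?._-]+$")


def passes_complexity_policy(pw, min_len=8, min_classes=3):
    """The policy quoted above: 8+ characters, 3 of 4 character classes."""
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= min_len and sum(classes) >= min_classes


def looks_predictable(pw):
    """True for word + digits/punctuation with the usual symbol
    substitutions undone (Summer16, P@ssword1, Winter2017!)."""
    base = _TRAILING.sub("", pw).lower().translate(LEET)
    return base in COMMON_BASES


def passes_length_policy(pw, min_len=15):
    """Length-first policy: 15+ characters and not a predictable pattern;
    no character-class requirement at all."""
    return len(pw) >= min_len and not looks_predictable(pw)


def evaluate(pw):
    return {"complexity": passes_complexity_policy(pw),
            "length_first": passes_length_policy(pw),
            "predictable": looks_predictable(pw)}


if __name__ == "__main__":
    for candidate in ("Summer16", "P@ssword1", "Winter2017!",
                      "correct horse battery staple"):
        print(f"{candidate!r:34} {evaluate(candidate)}")
```

The two sprayable passwords from these stories sail through the complexity rule and fail the length rule, while a plain four-word phrase does the opposite; the complexity rule is rewarding exactly the passwords an attacker guesses first.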

One other moral: never reuse local admin passwords. This is a guaranteed way to turn an isolated incident into a domain breach. Check out the Microsoft LAPS tool if you need help managing unique local admin passwords.

#2 – Phishing 4 Passwords

Phishing is a guaranteed way to get users to give up passwords and one-time passcodes, infect their computers, or hand over countless other forms of sensitive information. This is every hacker’s go-to move to gain access to your organization’s networks. Not only do they gain access to your network, but they gain the level of access that the users they phished have. This single attack can bypass most of the organization’s security controls designed to keep hackers out.

So, here is how I get your users to give me their credentials and a backdoor into their employer’s network in a single attack.  

First, I craft an email telling your users about some technology upgrade that was performed the previous night and tell them that they can access it and check out the new tech if they choose. I’ll then provide them with a web page that looks very real, like login.microsoftweblogin.com (I actually own microsoftweblogin.com). At this website I’ll clone a legitimate login page and put a keylogger on the page, so when the user types their username and password I’ll see what they type as they type it. Next I add a nice application add-on that prompts the user to run it. This application might be called something like “Microsoft Web Essentials”, so the browser asks them something to the effect of: “Would you like to run Microsoft Web Essentials?” When the user clicks run, I have a backdoor on their system. From this point it’s only a matter of time until we get complete control of your networks and systems.

#1 – How to get domain admin over the phone

This story is hilarious, but a cautionary tale nonetheless.     During our assessments we test human weaknesses as well as computer weaknesses.    As part of this testing we make phone calls to get information, (such as password policy) or to get users to go to our site and run our custom malware that gives us backdoor access to their machine.   On one such occasion I called up hoping to get a help desk technician to go to my site that hosts my malware.   This is where it gets interesting. 

This is a law firm – So obviously I call in pretending to be a Partner in the firm.   I tell them about how I’m trying to run this analytics software a stock market analyst buddy of mine shared with me and how it won’t run.   (We had already discovered that application whitelisting security software was preventing unknown, unapproved software from running on their endpoints.)  At this point the helpdesk employee interrupts my plea for help and says “It’s okay, just use my account”  –He proceeds to give me his username and password over the phone.  

Facepalm! – His password was P@ssword1

Next, I take those credentials and log into the VPN that we discovered during our recon, where we learn everything we can about the company and what it has on the internet. Voila, the credentials work. Now I am on the network, and we use the credentials to compromise the machine of the helpdesk employee we were talking to and immediately discover that these credentials were in the “Domain Admins” group, and that we just compromised the entire domain “over the phone!”

This is an extreme example with the obvious lessons: don’t give passwords over the phone; don’t even share them with your everyday peers.

But the less obvious lesson is that hackers don’t just exploit human trust. We also exploit fear. I’m confident this person had been bullied many times by VIPs in that law firm. So, this is yet another example where tech burns those failing to account for human weaknesses. Worse, this non-technical root cause is just the sort of thing executives excel at fixing. The C-suite must ensure that all employees, especially themselves and other VIPs, know that the C-suite has the backs of all those that enforce cyber policies.

This example also illustrates another lesson. The help desk person violated policy. Policies atrophy to uselessness if they are not exercised, measured, and reported. The law firm assumed its policies were consistently enforced. Our pen test proved otherwise. Our client learned something useful before something catastrophic happened. BTW, if your organization relies only on traditional pen tests to test your organization’s human readiness, then it’s not cyber ready. I’d love to see a good survey on this. I’d be shocked if more than 10% of enterprises exercise, measure, and report the human readiness underlying more than a few of their cyber policies.

 

via:  peoplesec

Yahoo Mail rolls out a rebuilt, redesigned service, including a new ad-free option

Following its Verizon acquisition, Yahoo today is rolling out a revamped and rebuilt Mail application for its 225 million monthly active users. The update includes a new design, feature set, and technology stack, as well as a new subscription plan for desktop and mobile called Yahoo Mail Pro.

The news is part of several changes ahead for Yahoo, under its new corporate parent – Oath, the combination of Yahoo and AOL (which also owns TechCrunch) – all of which are now operated by Verizon. For example, earlier this week, Yahoo was found to be exiting a prior deal with AT&T, which had allowed customers with AT&T email addresses to log into Yahoo websites.

However, despite Yahoo Mail’s technology overhaul and redesign – which does present a nicer-looking, better-functioning version of the product than we’ve seen in the past – it may be difficult for Yahoo to attract new users to its email service. The company was famously plagued by two massive security breaches affecting more than a billion users, which ended up knocking $350 million off the asking price for the Verizon/Yahoo deal that closed in June for $4.5 billion.

Simply put, email is a product where users conduct their lives and businesses, and share personal and private information. Yahoo’s history doesn’t inspire trust, given its data breaches were some of the largest in internet history. That’s unfortunate, in a way, because Google deserves to have real competition for its dominant Gmail service, which crossed the 1 billion monthly active user mark last year.

There are three main parts to the Yahoo Mail revamp, beginning with a rebuilt front-end tech stack that now leverages open source technologies like React, Redux, Node.js, react-intl, and others. The goal here is to deliver a Yahoo Mail service that’s faster to launch, and generally better for low-bandwidth and international users in particular.

Yahoo says its optimizations have been able to reduce its JavaScript and CSS footprint by 50 percent, compared with the earlier desktop product, which means the app will launch much faster. Search and reading messages is also faster, as a result.

In addition, the new product reduces the memory used by the browser, is more reliable, more accessible, and is built in a way that will allow its developers to be more agile in terms of updates and other pushes.

For Yahoo Mail users, however, these changes will be under-the-hood, and not necessarily noticed beyond an overall sense that the app seems quicker. More obvious will be the redesign and new feature set.

The updated look of Yahoo Mail is one of a much cleaner, more modern app. It looks like something built in 2017 instead of an old, legacy product that kept getting painted over throughout the years. It also reminds us a bit of Microsoft’s Outlook.com in terms of its interface, rather than Gmail’s highly functional, but not so pretty, inbox.


Items in the new inbox have more spacing in between them, which makes it feel less cluttered, but is not ideal for those who receive a large number of emails.

The app can now be personalized with new colorful themes, introduces stationery, and email writers can use the emoji set that Twitter open-sourced in their messages.

Yahoo has also taken inspiration from a number of newer email apps to make it easier for users to find certain kinds of messages. On the left-side navigation, Yahoo Mail will offer links to automatically created folders that collect your Photos and your Documents, for quick access.

There are other little tweaks as well, such as rich previews that let you hover over attachments to see what they contain; a Search mode that reflects your personalized settings for how you prefer to view your emails; a redesigned settings screen where your changes instantly update the app; and accessibility improvements, including support for NVDA and VoiceOver screen readers, as well as options for light-sensitive and low-vision readers.


 

The third major change is the introduction of Yahoo Mail Pro, an ad-free version of Yahoo Mail that includes customer support. This is an upgrade to Ad Free Mail, introduced a few years ago as an annual subscription.

Yahoo Mail Pro discounts the ad-free product by $15 for annual subscribers to $34.99 per year, and introduces a monthly option of $3.49/month. You can also choose to subscribe to a mobile-only version of the product for $0.99/mo or $9.99/yr, which delivers ad-free service on Yahoo’s Mail Apps for iOS or Android.

All subscriptions include priority support for desktop and mobile as well.

Yahoo Mail Pro is available on desktop and mobile (via in-app purchase) for all U.S., English-language users today, and will reach other markets soon. The redesigned desktop app is also available today globally, in English, with other languages to follow.

 

via:  techcrunch